Jonathan Mercier

**Name of the Vulnerable Software and Affected Versions** SUSE Rancher versions prior to 2.5.12 SUSE Rancher versions prior to 2.6.3 **Description** The issue allows administrators of third-party repositories to gather credentials sent to their servers due to an incorrect authorization vulnerability. This occurs when a user configures access credentials to a private repository in Rancher inside `Apps & Marketplace > Repositories`. An insufficient check of the same-origin policy when downloading Helm charts from a configured private repository can lead to exposure of the repository credentials to a third-party provider. This happens when the private repository does an HTTP redirect to a third-party repository or external storage provider, or downloads an icon resource for the chart hosted on a third-party provider. The address of the private repository is not leaked, only the credentials are leaked in the HTTP `Authorization` header in base64 format. **Recommendations** For SUSE Rancher versions prior to 2.5.12, update to version 2.5.12 or later. For SUSE Rancher versions prior to 2.6.3, update to version 2.6.3 or later. As a temporary workaround, check the Helm charts in your configured private repository for possible redirects to third-party storage, and for Helm chart icons from third-party sources. Evaluate any Helm chart that might lead to the mentioned scenario and change affected credentials if deemed necessary.

**Name of the Vulnerable Software and Affected Versions** SUSE Rancher versions prior to 2.4.18 SUSE Rancher versions prior to 2.5.12 SUSE Rancher versions prior to 2.6.3 **Description** An Improper Access Control issue in SUSE Rancher allows users to retain privileges that should have been revoked. This occurs due to an incomplete authorization logic check when removing a Project Role associated with a group from a project, resulting in the bindings that grant access to cluster-scoped resources not being deleted. A user who is a member of an affected group with authenticated access to Rancher could exploit this to access resources they should no longer have access to. The exposure level depends on the original permission level granted to the affected project role. **Recommendations** For SUSE Rancher versions prior to 2.4.18, update to version 2.4.18 or later. For SUSE Rancher versions prior to 2.5.12, update to version 2.5.12 or later. For SUSE Rancher versions prior to 2.6.3, update to version 2.6.3 or later. As a temporary workaround, limit access in Rancher to trusted users.

**Name of the Vulnerable Software and Affected Versions** SUSE Rancher versions prior to 2.5.10 **Description** A Improper Access Control issue allows remote attackers to impersonate arbitrary users. This is due to the Steve API proxy not dropping the impersonation header before sending the request to the Kubernetes API, allowing an authenticated user to impersonate any user on a cluster. A malicious user with authenticated access could use this to impersonate another user with administrator access, receiving administrator level access in the cluster. **Recommendations** For versions prior to 2.5.10, upgrade to release 2.5.10, 2.6.0, or later versions to resolve the issue. As a temporary workaround, limit access in SUSE Rancher to trusted users.

Name of the Vulnerable Software and Affected Versions: Rancher versions prior to 2.5.9 Rancher versions prior to 2.4.16 Description: An Improper Access Control issue in Rancher allows users in the cluster to make requests to cloud providers by creating requests with the cloud-credential ID, and Rancher attaches the requested credentials without further checks. Recommendations: For versions prior to 2.5.9, update to version 2.5.9 or later. For versions prior to 2.4.16, update to version 2.4.16 or later.

**Name of the Vulnerable Software and Affected Versions** Rancher versions prior to 2.5.9 Rancher versions prior to 2.4.16 **Description** A vulnerability in Rancher allows users in the cluster to act as other users by forging the `Impersonate-User` or `Impersonate-Group` headers. This issue is related to errors in processing input data and can be exploited by a remote attacker to escalate privileges. The vulnerability can be exploited by passing the `Impersonate-User` or `Impersonate-Group` header in the Connection header of an API request to the proxy for the Kubernetes API of a managed cluster. This allows a malicious Rancher user to gain access to information they do not have access to. **Recommendations** For Rancher versions prior to 2.5.9, update to version 2.5.9 or later. For Rancher versions prior to 2.4.16, update to version 2.4.16 or later. As a temporary workaround, consider restricting access to the `Impersonate-User` and `Impersonate-Group` headers in the Connection header until a patch is available. Avoid using the `Impersonate-User` and `Impersonate-Group` headers in API requests to the proxy for the Kubernetes API of a managed cluster until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Rancher versions prior to 2.5.9 Rancher versions prior to 2.4.16 **Description** A vulnerability in Rancher allows users in the cluster to modify resources they should not have access to due to incorrect permission assignment. This issue can be exploited by a remote attacker to change resources in the cluster. The affected resources include various components of downstream clusters and the Rancher management cluster, such as apservices, clusters, and projects. **Recommendations** For Rancher versions prior to 2.5.9, upgrade to version 2.5.9 or later. For Rancher versions prior to 2.4.16, upgrade to version 2.4.16 or later. As a temporary workaround, consider restricting access to sensitive resources until a patch is applied. Avoid using the vulnerable `apps.*` API group in the affected API endpoints until the issue is resolved. Restrict access to the vulnerable modules, such as `github.com/rancher/rancher`, to minimize the risk of exploitation.